AP-less WPA-Personal cracking
In Chapter 4, we saw how to crack WPA/WPA2 PSK using aircrack-ng. The basic idea was to capture a four-way WPA handshake and then launch a dictionary attack.
The million dollar question is: Would it be possible to crack WPA-Personal with just the client? No access point!
Let's revisit the WPA cracking exercise to jog our memory:
To crack WPA, we need the following four parameters from the four-way handshake—Authenticator Nounce, Supplicant Nounce, Authenticator MAC, and Supplicant MAC. Now, the interesting thing is that we do not need all of the four packets in the handshake to extract this information. We can get this information with four packets; packets 1 and 2 or just packets 2 and 3.
In order to crack WPA-PSK, we will bring up a WPA-PSK Honeypot and, when the client connects to us, only Message 1 and Message 2 will come through. As we do not know the passphrase, we cannot send Message 3. However, Message 1 and Message 2 contain all the information required...
